問題描述

我一直在四處尋找并嘗試對 .NET Core Identity 進行更多研究(https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.1&tabs=visual-studio%2Caspnetcore2x)和 Jwt(json 網(wǎng)絡(luò)令牌).我一直在我的 .NET Core 2.0 應(yīng)用程序中使用默認身份作為身份驗證/授權(quán)，到目前為止它運行良好.

I've been looking around and trying to do more research on .NET Core Identity (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.1&tabs=visual-studio%2Caspnetcore2x) and Jwt (json web tokens). I've been rolling with the default Identity as authentication/authorization in my .NET Core 2.0 app and it has been working well so far.

我遇到了障礙，我認為這是我理解 .NET Core 身份和 jwt 的方式.我的應(yīng)用程序有 MVC 和 web api.我理想地希望保護 web api，但我聽說現(xiàn)在最好的方法是通過 jwt.好 - 酷.

I'm running into a roadblock and I think it's the way of my understanding of .NET Core identity and jwt. My application has MVC and an web api. I would ideally like to secure the web api, but I hear the best way to do that now is through jwt. Good - cool.

我可以繼續(xù)配置 jwt，然后將其用作我的身份驗證/授權(quán) (https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/)，但是 - 我需要繼續(xù)啟動一個新服務(wù)器作為 jwt 的授權(quán)服務(wù)器嗎?如果是這樣，我不會那樣做(太貴了).

I can go ahead and configure jwt and then use it as my authentication/authorization (https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/), but - do I need to go ahead and spin up a new server to serve as the authorization server for jwt? If so, I'm not going to do that (too expensive).

如果我確實使用 jwt，我的 .NET Core 身份代碼會怎樣?那是不是必須要走了?如果它可以共存，我如何使用 Identity 授權(quán)我的 MVC 頁面并使用 jwt 授權(quán)我的 api 端點?

What about my .NET Core identity code if I do go with jwt? Does that have to go away then? If it can co-exist, how might I authorize my MVC pages with Identity and my api endpoints with jwt?

我知道這是一個開放式問題，但它的核心是:

I realize this is an open-ended question, but the core of it is:

.NET Core Identity 和 JWT 可以共存嗎?還是我必須選擇其中一個?我有 MVC 和一個 web api，并希望保護兩者.

推薦答案

是的，你可以.邏輯過程在這個方法中:

Yes, you can. The logic process is in this method:

第 1 步:獲取用戶聲明

var identity = await GetClaimsIdentity(credentials.UserName, credentials.Password);

• 您將進入 GetClaimsIdentity

• Into GetClaimsIdentity you will

private async Task<ClaimsIdentity> GetClaimsIdentity(string userName, string password)
{
    if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
        return await Task.FromResult<ClaimsIdentity>(null);

    var userToVerify = await _userManager.FindByNameAsync(userName);                

    if (userToVerify == null) {
        userToVerify = await _userManager.FindByEmailAsync(userName);
        if (userToVerify == null)  {
            return await Task.FromResult<ClaimsIdentity>(null);
        }
    }
    // check the credentials
    if (await _userManager.CheckPasswordAsync(userToVerify, password))
    {
        _claims = await _userManager.GetClaimsAsync(userToVerify);

        return await Task.FromResult(_jwtFactory.GenerateClaimsIdentity(userToVerify.UserName, userToVerify.Id, _claims));
    }
    // Credentials are invalid, or account doesn't exist
    return await Task.FromResult<ClaimsIdentity>(null);
}

第 2 步:將您需要添加到令牌的所有用戶聲明分組 - 使用 System.Security.Claims

 public ClaimsIdentity GenerateClaimsIdentity(string userName, string id, IList<Claim> claims)
    {
        claims.Add(new Claim(Helpers.Constants.Strings.JwtClaimIdentifiers.Id, id));

        // If your security is role based you can get then with the RoleManager and add then here as claims

        // Ask here for all claims your app need to validate later 

        return new ClaimsIdentity(new GenericIdentity(userName, "Token"), claims);
    }

第 3 步:然后返回您的方法，您必須生成并返回 JWT 令牌

jwt = await jwtFactory.GenerateEncodedToken(userName, identity);
return new OkObjectResult(jwt);

• 要生成令牌，請執(zhí)行以下操作:

  • To generate token do something like this:

    public async Task<string> GenerateEncodedToken(string userName, ClaimsIdentity identity)
    {
        List<Claim> claims = new List<Claim>();
        //Config claims
        claims.Add(new Claim(JwtRegisteredClaimNames.Sub, userName));
        claims.Add(new Claim(JwtRegisteredClaimNames.Jti, await _jwtOptions.JtiGenerator()));
        claims.Add(new Claim(JwtRegisteredClaimNames.Iat, ToUnixEpochDate(_jwtOptions.IssuedAt).ToString(), ClaimValueTypes.Integer64));
        //End Config claims
        claims.AddRange(identity.FindAll(Helpers.Constants.Strings.JwtClaimIdentifiers.Roles));
        claims.AddRange(identity.FindAll("EspecificClaimName"));
    
    
        // Create the JWT security token and encode it.
        var jwt = new JwtSecurityToken(
            issuer: _jwtOptions.Issuer,
            audience: _jwtOptions.Audience,
            claims: claims,
            notBefore: _jwtOptions.NotBefore,
            expires: _jwtOptions.Expiration,
            signingCredentials: _jwtOptions.SigningCredentials);
    
        var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwt);
    
        return encodedJwt;
    }
    

  有很多方法可以做到這一點.最常見的是:驗證身份用戶 --> 獲取用戶標識符 --> 根據(jù)標識符生成并返回令牌 --> 對端點使用授權(quán)

  There are many ways to do this. The most common is: Validate Identity User --> Get User identifiers --> Generate and Return Token Based on Identifiers --> Use Authorization for endpoints

  希望有幫助

  這篇關(guān)于.NET Core 2.0 身份和 jwt?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！

  【網(wǎng)站聲明】本站部分內(nèi)容來源于互聯(lián)網(wǎng),旨在幫助大家更快的解決問題，如果有圖片或者內(nèi)容侵犯了您的權(quán)益，請聯(lián)系我們刪除處理，感謝您的支持！